Denial of Service Vulnerability Fix

2개월 전

Vulnerability Fix.png

Hello Steemians, for the last couple of weeks we have been working on a fix to a Denial of Service vulnerability at the same time we are wrapping up our work on MIRA.

The Vulnerability

The vulnerability involved the pending transaction queue. We've been working on, and testing, various solutions since we were informed of the vulnerability by @netuoso about 2 weeks ago. Due to the nature of the attack, we could not publicly disclose our work on this issue and we even limited knowledge of the vulnerability within the organization to minimize risk.

Witnesses & Exchanges

Earlier today we upgraded our nodes and proposed our fix to the Witnesses all of whom have since upgraded. This fix has been tested on a private testnet on which we were able to demonstrate that it successfully mitigates the underlying issue. All nodes including exchanges should be upgraded as soon as possible with this patch. We will be available for technical support for those exchanges that require it.

This vulnerability was brought to our attention by the Steem community developer, @netuoso. This highlights how important Steem’s amazing developer community is to the protocol. Their continued inspection of the chain, and effective communication of their findings, is a critical component of maintaining a safe and secure network. Thanks again to @netuoso for discovering this vulnerability and helping us develop a patch that resolves the vulnerability.

The Steemit Team

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
STEEMKR.COM IS SPONSORED BY
ADVERTISEMENT
Sort Order:  trending

Thanks for the shoutout. It is rewarding to help deliver an update that benefits the entire ecosystem.

Steem on!

·

Looks like you, @netuouso, are the hero of the day. :) Kudos for actually being on the lookout for something wrong, finding the vulnerability and working to fix it. A perfect trifecta of work and effort.

Now, for those of us who can appreciate this, but aren't certain just what it all may have meant for the pending transaction queue had it been attacked, is there anything you can explain about it that would help me to better understand what you all fixed without making any disclosures that shouldn't be disclosed? If not, that's okay. I'm still thankful for all you did. :)

·
·

A Denial Of Service (DOS) attack is where someone does something to keep the servers busy doing unnecessary work to slow the system down and prevent others from being able to access the service of the server. It would seem that there was a way to cause the transaction que to loop or do some other work that would keep it busy for a lengthy period of time and this was now fixed to prevent such an attack.

·
·
·

Hey, @happyme.

Thanks for the reply.

Right, so just what could have been exploited by slowing down the transaction queue and keeping it busy? Would a DOS attack allow something else to occur, like getting to what was in the transaction queue? I guess I'm trying to understand the magnitude.

·
·
·
·

Generally, a DOS attack is simply so that the server is useless and nobody can use it. It is not a security risk on its own.

·
·
·
·
·

On a DPoS blockchain a DoS can be a GRAVE security threat.

I will leave the reader with an exercise in figuring out how shutting off the networks servers at will (potentially after fixing the issue locally) would be detrimental in a DPoS blockchain

·
·
·
·
·
·

Thanks for that clarification, but you are now using terms way over my head. As a non-programmer, I can only understand stuff as it is explained to me in layman's terms. As far as I know, DOS stands for denial of service, which translates to not being able to serve the clients trying to access the server. Beyond that, I'm as ignorant as one can be about security or anything else technical and haven't a clue what a DPoS blockchain is. D=? but I assume PoS = Proof of Stake, as opposed to Proof of Work (PoW)? How or why those make any difference is way over my head at this time.

·
·
·
·
·

Okay. Thank you. That's what I was wondering, so I appreciate that.

Not sure if you're into token collecting, but for answering my questions, I'm going to send some of these your way. Hopefully it works. :)

!ENGAGE 100

·
·
·
·
·
·

Well, I'll be darned... I already had 150 tokens in the wallet that I didn't even know about! I'm now having all sorts of crazy ideas floating around in my head about the uses for Steem-engine. Thanks again for the tokens and the link to the website!

·
·
·
·
·
·
·

No problem. Maybe @abh12345 sent the others your way? Always nice to find out you have more than you thought you did. :)

As far as the crazy ideas, go for it. Crazy ideas have a way of becoming the next big thing. :)

·
·
·
·
·
·

Sweet! Thank-you! My first engagement tokens.

·
·
·
·
·

Here are your ENGAGE tokens!

To view or trade ENGAGE go to steem-engine.com.

·

Grenat work @netuoso! Thanks for being our protocol guardian angel.

·

Good work!

·

thank you!

·

Oh hey he comes out of hibernation to actually use the steem blockchain this month! haha
But thanks for the fix.

·
·

Wonder what is more important for me to be doing... Commenting and posting about my life and my dogs? Or spending time building a business and working towards improving the security and resilience of the Steem blockchain. Hrmmmmmmmmmmmm.

·
·
·
·

Thanks for spotting this and helping the team to deal with it. Perfect security is impossible, but I would hope the people will work together to make Steem more resilient

·

Thank you!

·

Well done! You have my full upvote sir.

·

Good catch. Thanks!

·

Thanks for monitoring our security.
Good work!

·

Great work and appreciate you keeping your eye out for these things!

Posted using Partiko iOS

·

Outstanding! That is the Steemian Singularity that make this blockchain so very special! GODSPEED!

·
·

🎁 Dear @apostle-thomas,

SteemBet Seed round SPT sale is about to start in 2 days!

When our started the development of SteemBet Dice game, we couldn’t imagine that our game would go so viral and that SteemBet would become one of the pioneers in this field.

In order to give back to our beloved community, we’ll distribute 4000 STEEM to SPT holders immediately after Seed sale. Plus, investors in this earliest round will be given 60% more tokens as reward and overall Return on Investment is estimated at 300%!

Join the whitelist on SteemBet webiste now and start investing! Feel free to ask us anything on Discord https://discord.gg/tNWJEAD

spt-sale-2-day.jpg

·

Thank you! :)

Posted using Partiko Android

·

Thank you! Now we can sleep well!

Amazing demonstration of how a decentralized system is better than a centralized one. FaceBook outages are becoming a monthly affair.

Posted using Partiko iOS

@steemitblog,
Thank you for sharing this update and personally I was not aware about this problem till I read this post!

@netuoso,
Thank you for highlighting such important issues and really appreciate it!

Cheers~

Hi @steemitblog, thanks for sharing. Are you from the Steemit team? Your profile doesn’t say all that much about you. Looks like you follow just 5 people… @roboza @cgame @thecryptofiend @alkafir and @rmach. Those people must be your core team members? Good to know! Anywho, it might be a good idea to update your profile info so that people know more about who you are and what kind of blog you have. Let’s start with something simple. A profile pic!

If you’d like to add a profile pic, click settings and upload a photo… Wait… the “settings” tab can’t do that. First… you actually need to click the “wallet” tab. OK… then you’ll arrive at steemitwallet.com, it’s another website. Don’t worry though… it will all make sense soon. So you’ve arrived at steemitwallet.com to change your profile picture. OK… you’ll notice that you’re not logged in anymore. You need to log into your account a second time using one of those four passwords. Wait… actually, a login window will pop up and suggest that you use the posting key, but that’s actually not right… it’s the active key that does stuff for the wallet. Right? Not sure. From there, click the wallet settings button to upload an image for your profile. So simple! Now click update at the bottom. Great! It’ll take some time to show up but it does show up eventually. Now you want to back to your profile. To return to your profile page, click the tiny “blog” tab hiding in the corner. OK, now we are back in action! Congratulations @steemitblog, you now have a profile picture.

·

Thanks! Lol this actually helped me with what I was looking for

·

Yeah, but you’re probably still logged into your wallet since it hasn’t been auto-signing out when you close your browser.

It’s possible that this has been fixed though. Maybe.

·
·

Humrph, so many steps.

·

Hello, I'm not part of the team. Just a regular Steemian.

·
·

¯\_(ツ)_/¯

I'm a Backup witness, but I have not heard of this solution. Where can I get a mention?

·

Check #witness in steem.chat

Is there another place that you are monitoring for witness related matters?

·
·

I'm already involved in it, but I don't think the content was first disclosed there.
I checked the update through the alarm, but Top witnesses were already updated. Do they have a separate channel?

·
·
·

Oh, you’re not part of the special club? Well that’s weird. I thought we were supposed to have decentralization and transparency and stuff. Why would there be secret clubs of selected witnesses by the chain’s “lead dev team” and single largest stakeholder?

Inquiring minds would like to know. Amirite?

:)

·
·
·
·

Easy (and honest) answer:

Often with security releases it’s important for the top 20 witnesses to be patched prior to the fix being made public in order to ensure uninterrupted service and safety. Even if it were not us (Steemit Inc) proposing a fix, these witnesses should (and do) have an open channel of communication amongst themselves in order to coordinate rolling out these types of patches.

·
·
·
·
·

Oh, so it’s just a chat for top-20 witnesses that’s controlled by those witnesses?

·
·
·
·
·

The public channel you mentioned means "https://steem.chat/channel/witness", but I think there are other special channels. Because some of the witnesses had already been updated to version 20.10 before the updates were released and mentioned on the channel.

As you mentioned, you need a public channel for quick sharing. Is there a condition for accessing channels for special members?

·
·
·
·
·
·

For high risk scenarios like this a private channel for the top 20 witnesses, plus those witnesses close to the top 20, is required for security reasons. Such a channel exists and the only requirement for entry is one's position in the witness rankings. If a witness is in the top 20 they are in that slack. If there is a chance they may enter the top 20 (e.g. if they are close) they should be in that slack and if they are not, they should contact me at andrarchy@steemit.com.

·
·
·
·
·
·
·

It's a long way to top, but thank you for the information. I'll contact you if it gets closer.

·
·
·
·

I don't belong unfortunately............

·
·
·
·
·

Every witness has an opportunity, with Steem's vote-enabled democracy, to rise the ranks to become number one. I would say secondary witnesses are just as important as primary witnesses, in my experience at least. They often build dapps, on-board users, and bring code into the FOSS ecosystem. I appreciate all witnesses and humans in general that contribute their valuable time and effort to push forward blockchain technology.

sounds like there is a low level of trust within the organization... hopefully that improves..

·

This is how IT security traditionally works. There is a "need-to-know" basis around such things. IT admins often have access to highly sensitive information or data and need to keep it quiet.

Something such as a vulnerability shouldn't be discussed with too many people before a fix is made because word of mouth tends to spread quickly.

Kudos to the SteemIt team for keeping things quiet and quickly issuing a fix.

Great job @neutoso and to the Steemit team for fixing it!

What exactly does Ned and the rest of steemit,inc do all day? Is steemit.inc and steemit just a hobby for you guys? What does the new steemit director do? Why does everything move at a snail's pace? Serious question.

·

He is busy downvoting everyone as Bernie Sanders. They say the truth is often stranger than fiction. However the blockchain points to this based on stats. Makes sense why Dan Larimer left. Just a spoiled rich kid.. drunk on power.. spending Daddies money. It's all a joke to him. Also demented in the head like a little kid that pulls the wings off of a bug for fun. Deranged.

Your welcome.

·
·

You have received a negative vote.

·
·
·
·
·

https://steemit.com/idtheft/@isacoin/re-lyndsaybowes-fun-fact-the-account-which-steals-my-id-is-at-a-62-reputation-now-20190423t150141271z

There is a ton of blockchain stats that point to this. I am not here to prove or disprove anything. Just sharing my observation based on massive blockchain evidence. This is not decentralized. And all 'top' witnesses are either one guy or chosen by one guy. Rendering total centralization. The whole thing is a damn charade. A mirage if you will. Take care!

·
·
·
·

You have received a negative vote.

·
·
·
·

I am not talking about anything other than your intention that Bernie is Ned. Do you have any evidence to support that claim? I don't see a ton of blockchain evidence to support that.

This I feel ones more underlines the need for a bounty system for vulnerabilities. Kudus for @netuoso for identifying this bug while forgoing on what currently seems the only, rather meagre insentive of posting about the bug with appropriate @utopian-io tags.

Hey, @steemitblog.

Thanks for the update. I appreciate the idea of keeping the potential vulnerability of a denial of service attack secret except for a select few, and that now that you have the patch employed, you've let us know about it. I am trying to follow these updates as frequently as they come out, and hope that others will too. So keep them coming. :)

I believe it was on the last blog talking about the splitting of condenser and the wallet that someone else and myself brought up some quirks in the steemitwallet. It does not stay logged in, even though the box to do is checked. In order to claim rewards, the page needs to be refreshed (which is the same), but then requires a new login every time. Is this going to be the case going forward, or is there a fix forthcoming? Or is it perhaps something I'm doing or not doing on my end. Since I've never had trouble before the separation being able to login once and stay that way for periods of time, I'm still wondering what's up.

Thanks for any attention anyone can give in this matter. :)

·

I believe this will be fixed, but it is much easier to discuss and address UX issues like this if a PR is submitted and shared. Then I can say whether the PR will be approved or not. Also it may well be the case that a PR has already been submitted, in which case we can skip the discussion and move straight to the meat, "Will this get merged." The goal is to fix all UX issues so that it is a seamless experience, so any poor UX should be resolved.

·
·

Hey, @andrarchy

I think I'm looking at the PR list on steemit/steem's github now. I don't see anything. The most recent thing has to do with the Steem Proposal System (worker proposals via blocktrades), and some median feed update from 29 days ago.

Can anyone submit a pull request? I wouldn't know where to begin. I'm sure there's more technical terms for "stay logged in check box when checked doesn't stay logged in." :) I'm willing to learn, though, I'd just need to be pointed in the direction of some tutorials or something.

·
·
·

Are you using your active key to sign in to steemitwallet.com? The active key is not cached because that would put them at risk re: hacking. If you are using your posting key to sign into steemitwallet, this should not be happening. Also if you sign in with your master password this should not be happening because that is used to derive your posting key which would then be cached.

So if you're using your active key then this is the desired behavior, but if not, let me know as that would be a bug.

·
·
·
·

hey, @andrarchy.

I guess I was using the Active key, which is odd, since I thought I'd changed it to the posting key. However, I just did make the change, and it seems to be doing what I would like it to do, so thanks for the IT help. :)

Thanks @netuoso. Community support is the way to go.

Thank you @netuouso. Amazing demonstration of how a decentralized system is better than a centralized one. FaceBook outages are becoming a monthly affair.

Bugger. I was hoping this had to do with ISPs blocking access to dtube.

Good job @netuoso! A person like you needs to be here

Congratulations @steemitblog! You have completed the following achievement on the Steem blockchain and have been rewarded with new badge(s) :

You received more than 50000 upvotes. Your next target is to reach 55000 upvotes.

You can view your badges on your Steem Board and compare to others on the Steem Ranking
If you no longer want to receive notifications, reply to this comment with the word STOP

Vote for @Steemitboard as a witness to get one more award and increased upvotes!

nice great work move on

Good work and update to #Steem users. Thanks @STeemitblog. Glad we have users like @netuoso - Thanks man!

So this was a vulnerability to the BlockChain itself?

·

Yes. Every piece of software has vulnerabilities, the goal is to make sure they are found and mitigated before they can be leveraged by a malicious actor.

We are getting stronger.

Is that way I could not place an order to buy Steem at a set price?

Dude, WHEN are you releasing SMT?

To listen to the audio version of this article click on the play image.

Brought to you by @tts. If you find it useful please consider upvoting this reply.

Ok that must explain why the reputation scores were all messed up for a while, good work Steemit team.